Microcircuits implementing a cryptographic algorithm are equipped with a central processing unit (CPU). Some are equipped with circuits dedicated to cryptographic computing, for example a cryptographic coprocessor. These microcircuits include thousands of logic gates that switch differently according to the operations executed. These switches create short variations in current consumption, for example of a few nanoseconds that can be measured. In particular, CMOS-type integrated circuits include logic gates that only consume current when they switch, i.e. when a logic node changes to 1 or to 0. Therefore, the current consumption depends on the data handled by the central unit and on its various peripherals: memory, data flowing on the data or address bus, cryptographic coprocessor, etc.
Furthermore, certain software programs, produced in particular using encryption or obfuscation techniques, such as the “Whitebox Cryptography” technique, may integrate a secret data in such a way that it is very difficult to determine it by reverse engineering. Certain software programs may also receive a secret data from outside through a secure communication channel. Such microcircuits may be subjected to so-called side channel analysis attacks based on observing their current consumption, or their magnetic or electromagnetic radiation, or any other information that can be observed while a cryptographic algorithm is executed. Such attacks aim to discover the secret data they use, in particular their encryption keys. Frequent side channel attacks implement statistical analysis methods such as SPA (“Single Power Analysis”), DPA (“Differential Power Analysis”), CPA (“Correlation Power Analysis”) or EMA (“ElectroMagnetic Analysis”). SPA analysis normally only requires the acquisition of a single current consumption trace. It aims to obtain information about the activity of the integrated circuit by observing the part of the consumption trace corresponding to a cryptographic computation, since the current trace varies according to the operations executed and the data handled.
Software may also undergo such side channel attacks during their execution by a circuit.
DPA and CPA analyses enable the key of an encryption algorithm to be found by acquiring numerous data or measurement traces and by statistically analyzing these traces to find the information searched for. They are based on the assumption that the consumption of a CMOS-type integrated circuit varies when a bit changes from 0 to 1 in a register or on a bus, and does not vary when a bit remains equal to 0, remains equal to 1 or changes from 1 to 0 (discharge of the stray capacitance of the MOS transistor). Alternatively, it can be considered that the consumption of a CMOS-type integrated circuit varies when a bit changes from 0 to 1 or changes from 1 to 0 and does not vary when a bit remains equal to 0 or remains equal to 1. This second hypothesis enables the conventional “Hamming distance” or “Hamming weight” functions to be used to develop a consumption model that does not require the structure of the integrated circuit to be known to be applicable. DPA analysis involves amplifying this consumption difference using statistical processing on numerous consumption traces, aiming to highlight a measurement difference between two families of consumption traces distinguished according to formulated hypotheses.
CPA analysis is based on a linear current consumption model and involves computing a correlation coefficient between, firstly, the consumption points measured that form the captured consumption traces and, secondly, an estimated consumption value, computed from the linear consumption model and a hypothesis on the variable to be discovered that is handled by the microcircuit and on the value of the encryption key.
Electromagnetic analysis (EMA) is based on the principle that a microcircuit may leak information in the form of near or far field electromagnetic radiation. Given that transistors emit electromagnetic signals when their state changes, these signals can be treated like the current consumption variation signals by an analysis such as one or other of the SPA, DPA and CPA analyses.
Other side channel attacks exist, such as “Template attacks” and “Mutual Information Analysis” (MIA). In other instances an attack can include combining side channel technique and a reasonable brute force effort. All of the above-mentioned attacks are based on a time alignment of all the analyzed traces. In other words, all the measurements performed at a given time, for example from the time the execution of a command is activated by the circuit, must correspond to the same value handled by the algorithm.
To protect such circuits and the cryptographic algorithms they execute against such side channel attacks, counter-measures are generally provided. One type of counter-measure aims to avoid such a time alignment. For this purpose, these type of counter-measures introduce variations in the clock frequency supplied to the calculation circuits, or introduce dummy clock cycles or dummy operations. Another type of counter-measure involves adapting a given algorithm to be protected to render the data handled by the circuit independent of their actual values. Certain counter-measures of this type—that can be referred to as “masking-type counter-measures”—use a random mask (binary number) that is combined with another data to be protected such as the key and/or the message during the execution of the ciphering method. This type of counter-measure is effective but requires the algorithm to be modified, and thus requires a coprocessor specially provided for its implementation in the case of execution by a dedicated coprocessor, or a more complex program in the case of execution by the central processing unit of the microcircuit or a programmed coprocessor.
A counter-measure by multiple executions can be implemented with a conventional coprocessor that does not implement any specific counter-measures. It merely involves executing the ciphering method several times by means of false keys or false messages. For this purpose, a counter-measure program is provided for example that controls the ciphering program or the coprocessor, and makes it execute the ciphering method several times with the false keys, in a random order, such that the execution of the ciphering method with the right key (i.e. the authentic key) is “hidden” in a set of dummy executions. This counter-measure, by multiple executions, offers the advantage that it can be implemented with a conventional coprocessor not including any specific counter-measure means.
It is sometimes possible to restore this time alignment, by means of specific expertise and many attempts, in particular using a high number of traces to be realigned or applying some signal processing. Despite the foregoing, cases remain where it is not possible to restore this time alignment, such that the side channel tests fail even though there is a secret data leakage present in the traces.
To check the level of security offered by a secure integrated circuit intended to be marketed, qualification and/or certification tests are planned before the circuit is marketed, where these tests can include tests of the robustness of the integrated circuit to side channel analyses aiming to discover the secret data handled by the integrated circuit. There are also tests enabling the resistance of a software program to side channel attacks to be assessed.